Any file cabinet purchased by Emory that includes a lock may be assumed to be secure unless it is obvious that it is defective. A cardboard box, of course, even if securely taped shut, would not be considered secure storage.

What is our responsibility for space and records belonging to or located at Grady/CHOA/VA?

We are responsible for walkthroughs of space that is owned or leased by Emory or under control of Emory personnel (e.g., private offices located in non-leased Grady space). In addition, we are responsible for inventorying paper and electronic media or information, regardless of its owner (Emory or another entity) that is in such spaces or has been entrusted temporarily to Emory personnel. To the extent we are unable to secure Emory information within non-Emory space in which it is located, we must arrange for the information to be transferred elsewhere and secured. With regard to non-Emory information located in non-Emory space and temporarily entrusted to Emory personnel, to the extent Emory personnel are unable to secure that information within that space, the information’s owner should be contacted for assistance in arranging secure storage. So, for example, an Emory faculty member with a private office located in Grady space that is not leased by Emory must inventory all media containing sensitive information that he or she has, including all media in that office. To the extent the office contains Emory-owned sensitive information (e.g., student records) that the faculty member is unable to secure without assistance, he or she should work with an Emory administrator to secure such information. If the information includes Grady patient records that the faculty member is unable to secure without assistance, he or or she should contact Grady administration for assistance in securing the records.

If a desktop is password protected, is it considered physically secure?

No, it is easy to remove the hard drive and access the information using another device. Information on such a desktop must be encrypted, appropriately destroyed, or transferred to a secure means of storage.

How much does PGP encryption cost?

$45.50 per computer. But the best practice is to store sensitive electronic information (or really any data that you want backed up) on a secure University or departmental server.

Has PGP encryption been done for all SOM computers?

No, it is an Emory University policy to do this only for laptops and desktops on which it is known that more than 500 records containing identifiable data are to be stored. http://policies.emory.edu/5.12

If no sensitive information is stored on a desktop but the desktop is used to access sensitive information on a secure server, does the desktop need to be physically secured?

No. As long as the sensitive information is not downloaded and stored on the computer’s local hard drive. An example is when you perform a “Save As” function and the target is the computer’s desktop.

Are University-run servers HIPAA compliant?

The University has a number of HIPAA compliant file server options.

Should steps be taken to enhance building security where there are significant opportunities for improvement?

Yes, definitely. But those steps are likely not relevant to the determination of whether sensitive information in those buildings is considered physically secure for purposes of this Search and Secure initiative because there will almost certainly be some entrants to the building who lack authority to access the sensitive information it contains.

Must we inspect commercially contracted off-site storage facilities such as Iron Mountain to determine whether those records are physically secure?

Generally not. The use of commercial secure storage specifically designed for general security needs will qualify as physically secure. However, for smaller commercial providers other than Iron Mountain, it would be best to confirm the physical controls they provided by reference to the contract or other documentation of what is provided. If sensitive ePHI information is stored there, that vendor should have a Business Associate Agreement (BAA) with Emory. In addition, if offsite non-commercial storage is used within Emory, such as on the Briarcliff campus, those facilities should be evaluated and their physical controls should be confirmed.

Does Emory have responsibility to inventory and secure VA medical records in the control of a VA-employed faculty member?

Yes, but only when and to the extent such records are entrusted to their exclusive control (e.g., taken into their private office at the VA). If the records cannot be secured within the space in which they are located, VA administration should be contacted to assist in identifying a secure disposition.

What should be done if some media containing sensitive information can¿t be physically secured by the applicable deadline?

This should be documented in the inventory with the reason noted as to why compliance is not possible. The attestation includes language excludes from its scope items noted as not secured in the inventory.

Can bulk purchase of cable locks be coordinated at the institutional level to secure a better price?

Yes, this is likely feasible, but keep in mind that storage of information on desktop and laptop hard drives is not best practice and should be avoided whenever possible. The better solution may be to move this information to a secure server or encrypt it.

What level of detail must be provided for purposes of identifying inventoried media?

Generally, items must be identified in general terms only. However, more specific information may be necessary when media is combined in a secure space, in order to ensure that people can identify the media they need and will not take other items that may contain information they are not authorized to access.

Are academic departments responsible for surveying the residents and postdocs assigned to them?

Yes.

Are academic departments responsible for surveying medical students doing clerkships?

No. Surveying of medical students will be done centrally by OMESA.

Must residents completing their residency in June be surveyed?

No, residents completing their residency in June need not be surveyed.

Must volunteer faculty be included?

If they have the potential to have access to sensitive information in your Department’s space or computers, they should be surveyed.

How will the Search and Secure initiative be coordinated between SOM and EHC?

SOM and EHC are each charged with surveying their employees. Some SOM personnel, including clinical faculty who practice in EHC facilities, may be surveyed by EHC as well as the SOM. The scope of the SOM survey, however, excludes sensitive information that belongs to Emory Healthcare, including Emory Healthcare patient information, or that is located in an Emory Healthcare facility. Such information should be reported to Emory Healthcare rather than to the SOM. This distinction is intended to ensure that all information is reported to the appropriate Emory entity.